Why is an OAUTH2 Client Able to Access a Resource For Which it Does Not Have a Role Specified in the Privilege Protecting it?
(Doc ID 2972420.1)
Last updated on SEPTEMBER 05, 2023
Applies to:
Oracle REST Data Services - Version 23.1 and later
Information in this document applies to any platform.
Goal
Given two ORDS resources: <res1>, protected by privilege <priv1>, and <res2>, protected by privilege <priv2>.
<priv1> has no roles defined; <priv2> has the <role2> role.
OAuth2 client <client1> is defined for resource <res1>, and OAuth2 client <client2> is defined for <res2>.
And the test case:
<client2> generates a token in order to access <res2>, and <client2> is authorized on <res2>; however, the same token is also valid for accessing <res1>.
The goal is to explain why <client2> is able to access <res1>, for which it has no role enumerated.
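The following is an added example, not taken from the Oracle note, that reproduces the Goal's configuration with the ORDS PL/SQL API so the test case can be stood up and each privilege's role list audited before tokens are issued. The URL patterns (/res1/*, /res2/*), privilege, role and client names, and the owner and support e-mail values are assumed placeholders.

```sql
-- Constructed reproduction of the Goal's setup; run as the REST-enabled schema owner.
DECLARE
  l_no_roles  owa.vc_arr;   -- intentionally left empty: <priv1> has no roles
  l_roles2    owa.vc_arr;
  l_patterns1 owa.vc_arr;
  l_patterns2 owa.vc_arr;
BEGIN
  -- <role2>
  ords.create_role(p_role_name => 'role2');

  -- <priv1>: protects /res1/*, with no roles attached
  l_patterns1(1) := '/res1/*';
  ords.define_privilege(
    p_privilege_name => 'priv1',
    p_roles          => l_no_roles,
    p_patterns       => l_patterns1,
    p_label          => 'priv1',
    p_description    => 'Protects res1; no roles defined');

  -- <priv2>: protects /res2/*, requires role2
  l_roles2(1)    := 'role2';
  l_patterns2(1) := '/res2/*';
  ords.define_privilege(
    p_privilege_name => 'priv2',
    p_roles          => l_roles2,
    p_patterns       => l_patterns2,
    p_label          => 'priv2',
    p_description    => 'Protects res2; requires role2');

  -- <client1>: client_credentials client associated with priv1
  oauth.create_client(
    p_name            => 'client1',
    p_grant_type      => 'client_credentials',
    p_owner           => 'Test Owner',
    p_description     => 'Client for res1',
    p_support_email   => 'ords@example.com',
    p_privilege_names => 'priv1');

  -- <client2>: client associated with priv2 and granted role2
  oauth.create_client(
    p_name            => 'client2',
    p_grant_type      => 'client_credentials',
    p_owner           => 'Test Owner',
    p_description     => 'Client for res2',
    p_support_email   => 'ords@example.com',
    p_privilege_names => 'priv2');
  oauth.grant_client_role(p_client_name => 'client2', p_role_name => 'role2');

  COMMIT;
END;
/
```

With this in place, request a token for client2 and call both /res2/ and /res1/ with it to observe the behaviour described in the Goal; the role list attached to each privilege is the setting to review.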
Solution